Configuring Windows 2003 / XP SP2 to use IOS NTP server

In certain networks it is difficult to get the time on your servers to be exactly the same as the NTP time on your network equipment. In that case you want to force the Windows servers to use the same NTP time source as your routers and switches. But Microsoft Windows doesn’t speak standard NTP by default; it has its own ‘way’ of doing NTP, so you need a little tweak to make it compatible.

You should consider carefully the state of your servers before you do this. MS servers that are part of an AD tree really should get their time from the AD master (or however the server folks have configured it); if the clock varies you might find that some things don’t work well. I think this solution works best for standalone servers (workgroup mode) that are used as management or monitoring servers. YMMV.

To Work

Stop the Windows Time Service using the CLI.

C:\Program Files\Support Tools>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

Now wind the time forward a couple of hours so we can confirm that the NTP source is active and it works.

C:\Program Files\Support Tools>time
The current time is: 19:19:23.95
Enter the new time: 21:19
C:\Program Files\Support Tools>time
The current time is: 21:19:01.82
Enter the new time: (just press enter to do nothing here)

The peer list must be enclosed
Use the 0x8 flag to force W32time to send normal client-mode requests instead of symmetric active mode packets (the Microsoft way). The NTP server replies to these normal client requests as it would to any other client.

Restart the Windows Time Service and then force a sync.

C:\Program Files\Support Tools>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.
C:\Program Files\Support Tools>w32tm /resync
Sending resync command to local computer...
The command completed successfully.

And check the time:

C:\Program Files\Support Tools>time
The current time is: 19:19:23.95
Enter the new time:
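The steps above (stop the service, point W32time at the router with the 0x8 client-mode flag, restart, resync, check the clock) collected into one script, as an added example that is not part of the original post. It also shows where the peer list lands in the registry so you can inspect it without regedit. The address in NTP_SERVER is a placeholder for your IOS "ntp master" (use its loopback address); the /config, /manualpeerlist, /syncfromflags and /resync switches are the standard w32tm ones.

```batch
@echo off
rem Added example, not from the original post. Run from cmd.exe as an
rem administrator on Windows 2003 / XP SP2.
rem Assumption: NTP_SERVER is a placeholder; replace it with the loopback
rem address of the IOS router that runs "ntp master".
set NTP_SERVER=192.0.2.10

rem 1. Stop the Windows Time service before changing its configuration.
net stop w32time

rem 2. Point W32time at the IOS router.
rem    ",0x8" makes W32time send plain client-mode (mode 3) requests
rem    instead of its default symmetric-active packets, which is what a
rem    Cisco NTP server answers without special configuration.
rem    /syncfromflags:manual tells W32time to ignore any domain hierarchy
rem    and use only the manual peer list. The list is quoted because it
rem    may hold several space-separated "address,flags" entries.
rem    (/update is only needed when the service is running; here the
rem    service re-reads the registry when it starts in step 4.)
w32tm /config /manualpeerlist:"%NTP_SERVER%,0x8" /syncfromflags:manual

rem 3. Confirm what was written: Parameters\NtpServer holds the peer list
rem    and Parameters\Type should now read NTP (NT5DS means "follow the
rem    domain", which is what you do NOT want on a standalone box).
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type

rem 4. Restart the service and force a sync against the new peer.
net start w32time
w32tm /resync

rem 5. Show the clock. If you wound it forward beforehand, as the post
rem    does, it should now have stepped back. No change means the router
rem    is not answering: check "ntp master" on the router and that UDP/123
rem    is allowed between the server and the router's loopback.
time /t
```

Run it once after editing NTP_SERVER; if step 3 shows Type still at NT5DS, the machine is domain-joined and should be left on the AD hierarchy as the post warns.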

IOS configuration

Your IOS router will need to be configured as an NTP master and should get its own time from a suitable upstream source. I also bind the NTP server to the Loopback interface so it works in HA network designs. So the following configuration should be enough.

Configuration Mistake ?

If you need to change anything, or you make a mistake, it seems that the only way to change the settings is to unregister and re-register the service:

w32tm [/? | /register | /unregister ]
? – this help screen.
register – register to run as a service and add default configuration to the registry.
unregister – unregister service and remove all configuration information from the registry.

I am not sure whether a reboot is mandatory to unregister, but I think that it is required. (please leave a comment if you know for sure)

Inspecting your Configuration

Open up regedit and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

From a security perspective, you should always have an internal clock source for your network. Thus ‘ntp master’.

Therefore I usually make the two ‘most’ core switches the NTP master for the entire network. Then sync these two against an external time source (ready for an atomic clock in the future). Thus ‘ntp server’.

Firewall rules for pool.ntp.org are problematic in some companies since they may only allow IP addresses in firewall rules. Also, trusting an external clock is broadly regarded as insecure.

The “ntp master” command is only going to do something if you lose your external synchronization. By default, it has a stratum value of 7. Unless your external sources have a REALLY low stratum value, “ntp master” will never do anything. If you have two core devices, you may want to investigate “ntp peer” between the two. This will allow both to sync to each other should they lose their better valued upstream source.

FYI, some lines of content scroll out of the frame in your main content (see the line containing “w32tm /config /manualpeerlist…”). While there’s a horizontal scrollbar down the very bottom of the frame, it’s not immediately obvious. Especially if you’re copy and pasting (or manually typing) command-line examples…